Analysts: Free Zeus Kit Will Mean More Malware

The release of Zeus’ source code means more cyber-criminals will soon be using the infamous banking Trojan

The source code for the Zeus banking Trojan has been leaked on the Internet, which will allow pretty much anyone interested in crafting a malware attack to do so, provided they know where to look.

The complete source code for the Zeus malware kit is being freely distributed as a ZIP file on several underground forums, Peter Kruse, a security researcher with Danish security firm CSIS, wrote on the company blog on 9 May. Kruse downloaded the ZIP file, compiled the code and confirmed it worked “like a charm”.

Cheaper malware

Previously, cyber-criminals interested in setting up their own Zeus botnets had to buy the malware kit from closed underground forums. As crimeware kits go, Zeus was fairly expensive, costing roughly $5,000 (£3,000) for the ability to download malware, inject fields into forms and log victims’ keystrokes. It has been used in a number of targeted attacks using several attack vectors, including SMS, spam and rogue websites.

“We can hereby confirm that the complete Zeus/Zbot source code is freely available for inspection, inspiration or perhaps to be compiled and used in future attacks,” Kruse wrote.

The code is not so readily available that any kid can get a hold of it, Kevin Stevens, a senior threat engineer at Trend Micro, told eWEEK. It has been leaked to various groups for more than a month but became more open just a few days ago. Stevens even saw a “few people” sharing the code within their LinkedIn groups.

It “lowered the bar of entry” for malware authors who want to create banking Trojans, Pierre-Marc Bureau, a senior researcher at ESET, told eWEEK, because now they can just download the code and compile it without having to pay for it. Any junior programmer can now easily copy-and-paste desired functionalities and include them in another malware application, thereby creating a new Zeus variant.

Zeus capabilities

Aviv Raff, CTO of Seculert, told ThreatPost that it is possible that the recent Mac OS Trojan exhibiting Zeus-like features may have copied portions of the code after it was publicly released.

The Zeus copy-cats, when they come, shouldn’t be too hard to recognise and analyse, since “most of the tricks have already been studied through reverse engineering”, according to Bureau.

The availability of the source code won’t give security researchers any advantage over cyber-criminals. Zeus has been updated continuously over the “past not-quite-three” years, so researchers have already been looking at samples “non-stop since then”, Aryeh Goretsky, distinguished researcher at ESET, told eWEEK. However, the actual code may give researchers insight into the “psychology” of the original Zeus creator.

“Anti-malware is, in some sense, like playing 100,000 games of chess a day, and having some understanding of your opponents’ thought processes can be of some benefit,” Goretsky said.

Researchers speculated the code may have been leaked to create more complicated Zeus variants. Zeus botnets are notoriously difficult to shut down because each network operates independently of each other. Shutting down one operation doesn’t affect all the other Zeus variants merrily stealing funds from victims’ bank accounts.

“If the leak was intentional, it could be an attempt to flood the market with one-off variants Zeus-based malware,” van der Horst said. Such an increase in malware volume would create a lot of “noise” that may distract security researchers from noticing the next generation of stealthy malware, according to van der Horst.

After the Spyeye Trojan started exhibiting some Zeus capabilities, many researchers speculated that there would be no more active development on Zeus. Kaspersky Lab researcher Dmitry Trakanov reported in March that Zeus was still being modified.

A common way for criminals to attack people is via websites, unfortunately this includes legitimate sites that have been hacked or compromised in some way. This puts your visitors and your reputation on the line, so every website owner needs to understand the risks posed by cybercrime and how to prevent it. This essential survival […]

Small and midmarket organizations depend on their data as much as large enterprises depend on theirs—but the right tools for protecting a smaller organization’s data are not enterprise tools with reduced feature sets and price tags. Organizations of all sizes need to understand their exposure caused by mediocre protection, and then utilize “right-sized” technologies that […]

The network security paradigm is currently shifting toward a new reality as advanced hacking methods become more prevalent and harder to detect. An example of such a method is advanced evasion techniques (AETs). Although evasions have been documented extensively in the last 15 years, security vendors have systematically ignored the significance of evasions. Some vendors […]

The advent of the Internet has resulted in an ever-expanding data ecosystem. Unfortunately, this has also led to an increase in data breaches and identity theft. While attackers are still motivated by crime (to gain money), politics (to gain power and influence), and espionage (to gain market advantage), they also want to steal your information […]